By way of The Unofficial Apple Weblog comes this story of criminal ineptitude. A Macintosh user traced her stolen laptop and identified the criminals responsible using nothing more than standard OS X features. Alerted by a friend that her missing laptop appeared to be online (she was signed in to an instant messaging application, another case of COTS software doubling as a security alarm), the owner used the Back To My Mac functionality to connect to the machine remotely. She turned on the built-in iSight camera and a few minutes later was rewarded with a live view of the perpetrators. Luckily they turned out to be familiar faces who had attended a party at her residence earlier. Law enforcement must have gotten a good laugh out of this one.
Great story, but this is still a case of the old adage about cybercrime: “we catch the dumb ones.” The thieves in this case made several mistakes. For starters, they booted the machine using the existing operating system. That alone would have given any protection software the chance to hop on an open wireless network in the vicinity and send out a cry for help to some server in the cloud. On top of that they connected the laptop to a network without a firewall to block incoming remote connections. The machine was left running in this state for several hours; the thieves did not realize that several applications were designed to log in to services automatically. Even without a user being able to remotely command the laptop, these logins alone would have created a trail of evidence linking them to the machine. This is how service providers often get dragged into theft cases. Suppose the user configured the OS to automatically log in a particular account after boot and also saved the password in Yahoo Messenger for auto-login. Each time the stolen machine boots, Yahoo will see its IP address and anyone on the user’s contact list will see the account come online. That includes the original owner: most instant messaging applications log the user out of one machine after a more recent login at another. The clueless criminal is up against serious pitfalls.
But professionals would have been home free: wiping the drive or swapping in a new one is a good start. This implies the loss of any software on the machine, so it is understandable why perpetrators would be motivated to resell the machine intact. The market is awash in “laptop recovery” solutions, all of which are based on the idea of calling home when the laptop decides it has gone AWOL. Most of them depend on software running on the computer and a network connection. If the drive is wiped or swapped for a new one, that protection is moot. Some of them also claim to protect the data on the drive, but that job is best left to full-volume encryption solutions such as BitLocker or PGP. Tracking is not about the value of the data on the drive, which can be protected cryptographically, but about the cost of the hardware itself.
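To make the “call home” mechanism concrete, here is a toy beacon protocol as an added example (not code from the original post or from any recovery product). It assumes a per-device HMAC secret provisioned at enrolment and stored on the laptop’s disk, a hypothetical device id `laptop-7f3a`, and constructed sample IP addresses and network names; both sides run in one process so it works offline. It shows what a thief who boots the intact OS gives away (a signed, timestamped report carrying the IP the server sees), why the server must reject replays and forgeries, and the failure mode above: once the drive is wiped, the secret goes with it and nothing is ever sent.

```python
"""Toy phone-home beacon (hypothetical protocol, added illustration only)."""
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample data: the server's copy of each device's enrolment secret.
# The same secret lives on the laptop's disk, which is exactly the weakness.
SERVER_SECRETS = {"laptop-7f3a": b"0123456789abcdef0123456789abcdef"}
MAX_SKEW_SECONDS = 300  # reports older than this are treated as replays


def sign(secret: bytes, payload: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the payload."""
    msg = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class RecoveryServer:
    """Verifies reports, keeps an evidence trail, answers with a command."""

    def __init__(self) -> None:
        self.lost = set()   # device ids the owner has reported stolen
        self.trail = {}     # device id -> list of (ts, ip, ssid) it reported

    def mark_lost(self, device_id: str) -> None:
        self.lost.add(device_id)

    def handle(self, report: dict, now: float) -> dict:
        payload = report.get("payload", {})
        secret = SERVER_SECRETS.get(payload.get("device"))
        if secret is None:
            return {"status": "unknown-device"}
        # Constant-time compare so the MAC check itself is not a timing oracle.
        if not hmac.compare_digest(sign(secret, payload), report.get("mac", "")):
            return {"status": "bad-mac"}
        # Reject a genuine report captured earlier and replayed later.
        if abs(now - payload["ts"]) > MAX_SKEW_SECONDS:
            return {"status": "stale"}
        self.trail.setdefault(payload["device"], []).append(
            (payload["ts"], payload["ip"], payload["ssid"]))
        command = "locate" if payload["device"] in self.lost else "none"
        return {"status": "ok", "command": command}


class Beacon:
    """The laptop side. `secret` is None once the drive has been wiped."""

    def __init__(self, device_id: str, secret: Optional[bytes]) -> None:
        self.device_id = device_id
        self.secret = secret

    def report(self, ip: str, ssid: str, now: float) -> Optional[dict]:
        if self.secret is None:  # wiped or swapped drive: nothing left to sign with
            return None
        payload = {"device": self.device_id, "ip": ip, "ssid": ssid, "ts": now}
        return {"payload": payload, "mac": sign(self.secret, payload)}


def run_scenario() -> dict:
    """Owner reports theft; thief boots intact OS; replay; forgery; wipe."""
    server = RecoveryServer()
    beacon = Beacon("laptop-7f3a", SERVER_SECRETS["laptop-7f3a"])
    t0 = 1_700_000_000.0  # constructed timestamp
    results = {}
    server.mark_lost("laptop-7f3a")
    # Thief boots the untouched OS and joins an open network: the report lands.
    first = beacon.report("203.0.113.45", "CoffeeShop-Free", t0)
    results["intact_boot"] = server.handle(first, t0)
    # The same report replayed an hour later is rejected as stale.
    results["replay"] = server.handle(first, t0 + 3600)
    # A report with an altered IP but the old MAC fails verification.
    forged = {"payload": {**first["payload"], "ip": "198.51.100.9"},
              "mac": first["mac"]}
    results["forged"] = server.handle(forged, t0)
    # Drive wiped: beacon binary and secret are gone, so nothing is sent.
    wiped = Beacon("laptop-7f3a", None)
    results["after_wipe"] = wiped.report("203.0.113.46", "CoffeeShop-Free", t0 + 7200)
    results["trail"] = server.trail["laptop-7f3a"]
    return results


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2, default=str))
```

The evidence trail the server keeps is the same kind of record a service provider ends up holding when an auto-login client phones in from the thief’s network; the difference is only that a recovery server is built to act on it.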
At least one product claims that it can use GSM for remotely tracking the laptop and destroying the data on it. (Interestingly, their product literature presages the Mac story by suggesting that in some cases the perpetrator’s picture can be recovered using the camera integrated into the laptop.) Having this independent channel is a major improvement: with stories of remote tracking in the news, would-be thieves will become more reluctant to connect a stolen machine to a network, and a cellular link does not depend on them doing so. But the machine still has to be booted for the recovery software to function. If the drive is removed first, it can be mounted from another machine and the data recovered without the recovery software ever running. There is no substitute for encryption in this case.
Even with hardware support, there is no fully reliable way of tracking a laptop. One can imagine implanting tracking beacons that report their location to a remote server. The problem is that GPS requires line of sight to satellites (it does not work indoors), and cellular connections require reliable reception (they do not work in remote areas and can be jammed or shielded). Finally, if the adversary suspects the existence of a tracking device, they could open the laptop and attempt to remove it completely. This is why LoJack devices are hidden in one of dozens of possible locations in a car. The internals of a laptop offer few opportunities for stashing away relatively bulky electronics.